Important information for all WooThemes Customers

Written by Mark Forrester on May 9, 2014 Woo news.

Over the past 3 days we have had a handful of reports of fraudulent activities on customers’ credit cards. We take these matters very seriously and immediately investigated each case to try and determine any pattern and the severity of any potential breach.

It must be made clear that we do not store any credit card details on our site, nor does WooCommerce, which makes this investigation that much more difficult to pinpoint.

Steps we’ve taken:

  • We contacted Sucuri, who have conducted a code & security audit
  • We requested a full review by our host and payment gateway
  • We updated our SSL certificate
  • As a precautionary measure we changed our payment gateway to a completely offsite payment method – being PayPal Express.

Sucuri discovered 3 modified files on our server pointing towards an attack. It cannot be said this is the reason for any leaked credit card information, and investigations continue.

To be on the safe side we urge all customers to check their cards for any fraudulent activity and let both us and your bank know if you discover any unusual charges.

We realise every word will be scrutinised in any official response from us, as will the timing of our communication. We apologise for any inconvenience or panic caused. Our team are working as fast as humanly possible to get to the bottom of this and we will update you with any further news as soon as we have any.

Please contact us if you have any questions.

Update (Friday 9 May 2014 12.30pm GMT+2) – Fraudulent reports

After publishing this post, and sending out an email to all our 230,000 newsletter subscribers, we have had numerous more cases reported. At the moment we have about 300 fraudulent cases reported in total. We are busy analysing all reported fraudulent transactions to discover a pattern. Almost all fraudulent transactions have occurred in the last 5 days, with most customers already informed by their banks and transactions blocked or cards cancelled. We are truly sorry for this inconvenience, and appreciate all our customers’ emails and understanding of this difficult situation. You have been so supportive!

Whilst the fraudulent activity has happened in that period, the actual transactions on WooThemes do (in a very small number of cases) go back to the beginning of the year. This doesn’t add up and further audits are being conducted.

Without jumping to conclusions, and as already mentioned, we do not store credit card details, so we believe this information was potentially intercepted in the checkout process.

Update (Friday 9 May 2014 6pm GMT+2) – No WooCommerce vulnerability

There is still no indication of any vulnerability within our WooCommerce plugin, our themes or our extensions. We’ve thoroughly audited all our products and moved the product downloads as a precautionary measure. This attack was targeted at WooThemes.com.

Update (12 May 2014 3pm GMT+2) – Passwords reset

Our investigations have been extensive, as have the audits and technical analyses by Sucuri, our payment gateway, and our host. We have not left a stone unturned and have actioned some drastic precautionary security measures. Financial institutions and the authorities continue their investigations.

Subsequent to the newsletter to our 230,000 customers we now have close to 1000 reported cases. The one positive is the occurrence of these reports has now drastically slowed down. We realise many people may not have read their email, and we still encourage all our customers to be aware and vigilant of any suspicious activity on their credit cards.

At this time we do not foresee any conclusive reports on how our system was infiltrated, and we might never know. Whilst the analysis is ongoing, we need to focus on what we can do now.

All customer passwords have now been reset as a precautionary measure. You can create a new strong and unique password here (read the knowledgebase article helping you to do that).

As mentioned before, we do not store any customer financial records on our system, but your WooThemes password safety is very important to us. We apologise for the inconvenience.

We are well aware of the media eye on us at the moment, and need to be very cautious of what is said, given the likely increased interest in our site from criminal minds. With that said, our transparency and speed at which we’ve reacted, coupled with the amazing support from our community, means we’ve come out of this testing chapter with scars, yet no life-threatening conditions. We’re determined to make WooThemes even stronger.

We have posted another update in a subsequent blog post.